
Data sheet

HP Fortify on Demand
Enterprise Software Security in the Cloud

HP is transforming the enterprise security landscape with its
Security Intelligence and Risk Management (SIRM) Platform. The
SIRM Platform uniquely leverages advanced threat research with
powerful correlation of security events and vulnerabilities. By
delivering unparalleled visibility across security assets in context of
business critical processes and applications, we help our customers
manage their risk and maximize their security investments.

Hosted software security

HP Fortify on Demand is a Security-as-a-Service (SaaS) testing
solution that allows any organization to test the security of software
quickly, accurately, affordably, and without any software to install
or manage. This automated on-demand service helps organizations
with two key challenges:

Ensuring the security of applications licensed from third parties
Increasing the speed and efficiency of building security into a development lifecycle

HP Fortify on Demand serves the role of an independent, third-party
system of record, conducting a consistent, unbiased analysis
of an application and providing a detailed tamper-proof report
back to the security team. Users simply upload their application
binaries and/or provide a URL for testing. HP Fortify on Demand can
conduct a static and/or dynamic test, verify all results, and present
correlated findings in a detailed interface and report.

The HP Fortify on Demand highly secure SaaS environment is easy to
use: no hardware, software or expertise required. Get started with
HP Fortify on Demand in three easy steps.

How HP Fortify on Demand works

1. Upload
Upload your binary or point us at your URL and receive a
comprehensive application layer test that encompasses static
and dynamic analysis. Leverage HP Fortify on Demand with your
build server to make uploads more frequent and automated for all
applications.
In house: Collaborate with your developers to test in-house applications before you deploy into production.
Commercial: Protect your investments by ensuring all commercial software is secure before licensing.
Outsourced: Guarantee that your outsourced code is written securely.
Open source: Ensure that any open sourced software is compatible with your security expectations.

2. Test
Our SaaS expert team will conduct a thorough audit of your
application for security vulnerabilities.
Static analysis: Users simply and securely upload binary,
byte, or source code and HP Fortify on Demand completes
award-winning static analysis.
Dynamic analysis: Users provide the URL of any application
either in QA or production, and HP Fortify on Demand can be
scheduled to test automatically at one of three levels of service.
Expert review: All results are reviewed manually by a software
security expert to ensure the highest degree of accuracy.

Figure 1. Shown are the three key steps of the HP Fortify on Demand process.

1. Upload: Customer uploads software to the Cloud.
2. Test: HP Fortify on Demand conducts a thorough application security test (dynamic, static, or manual) on the application.
3. Review: Customer reviews and analyzes the results of the application test in the form of a detailed report or dashboard.

3. Review
Review detailed and correlated results.
Executive dashboard: Monitor and manage all your application
testing projects from a single point of record. Development
and security teams can save time, effort and headaches by
communicating and collaborating through a central location.
Detailed reporting: Assessments are delivered in a report
featuring a consistent five-star rating system, typically in one
day. Results are correlated and prioritized by severity and
exploitability. Issues identified include line of code-level details
with suggestions on how to fix.

Figure 2. Winner, Best Security Solution, 2011 CODiE Award.

HP Fortify on Demand Executive Dashboard:
The Executive Dashboard shows key results for your application
testing projects from a single screen.

HP Fortify on Demand use cases

HP Fortify on Demand can secure any application, whether it's
developed internally or by third-party organizations. Typically, it's
used in these scenarios:

Security testing for internal applications

This enables any organization to test the security of all in-house
software, whether in development or deployed in production.
HP Fortify on Demand establishes a security baseline across the
entire software portfolio. With no hardware or software to deploy or
maintain, customers can test more applications, hundreds or even
thousands, efficiently and effectively. Short on staff? The HP Fortify
team of experts provides all the testing and triaging necessary. With
an annual subscription, HP Fortify on Demand users enjoy unlimited
uploads and scans.

Security testing for third-party applications

HP Fortify on Demand provides an independent review of third-party
applications, allowing organizations to test software before
purchasing, and also allowing software vendors to demonstrate
the security of their software. Third-party vendors can upload the
binary and/or provide a URL, review the results, and then publish
a report back to their customer. This service compels commercial
vendors to take action to proactively fix vulnerabilities, while
allowing them to remain in control of their applications. Security
professionals can demand that high-priority problems be addressed
and verified during the procurement or upgrade process, prior
to acceptance. HP Fortify on Demand serves as an independent
third party to conduct unbiased analysis of applications and provide
a detailed tamper-proof report back to the security team.

"Security testing as a service is a way for
enterprises to reduce upfront costs and to
augment limited internal resources when
undertaking a software security program. This
technology area is growing and will have a
significant impact on the application security
market over the next 12-18 months."
Joseph Feiman, Ph.D., Research Vice President and Gartner Fellow

Figure 3. You can choose an on-premise or on-demand solution.


Deployment
On-demand - Easy: No deployment, no hardware, no training
On-premise - Involved: Requires local installation and supporting hardware

Expertise required
On-demand - Little: Results triaged by experts and delivered in easy to read reports
On-premise - Significant: Requires expertise to set filters and triage results

Time to results
On-demand - Days: 1 day per scan
On-premise - Hours: Hours per scan

Control
On-demand - Less: Standardized process
On-premise - More: 100% control, instant access to all capabilities at any time

Integration
On-demand - Medium: Primary results are in report, but can be sent to bug tracking systems and IDEs
On-premise - Tight: Tight integration with build systems, bug tracking, revision control, test

Selecting the right solution for you

How do you choose between an on-premise or on-demand solution?

HP Fortify doesn't lock you into your investment. We offer both an
on-premise and an on-demand solution.

Some companies start with HP Fortify on Demand due to the low
cost of ownership and the luxury of quickly jumpstarting their
software testing. Later, they may decide to bring the technology
in-house, once the expertise has ramped up.

Other companies select a hybrid model, with some applications
sent to the cloud for testing and others analyzed in-house during
development.

With HP Fortify, customers have the flexibility to adopt either or
both an on-demand and an on-premise solution. Our on-demand
and on-premise solutions leverage the same analysis techniques,
vulnerability categorizations, and application rating systems. HP is
the only company that offers this flexibility in deployment.

HP Fortify on Demand benefits:

Easy to manage: no hardware, no software, no maintenance
Fast: Results in less than 24 hours
Flexibility to migrate easily and quickly to the HP Fortify on-premise solution
Easy to get started: no need to wait for lengthy procurement, approvals or deployments
Quickly pass compliance with PCI, HIPAA, FISMA and many other standards

HP Fortify on Demand specifications:

Static analysis: Binary, byte or source code for 18 different languages
Dynamic analysis: All Web applications

About HP Fortify on Demand

HP Fortify on Demand features:

Best-of-breed analysis
Market-leading static and dynamic capabilities
Analysis capabilities tested across 900+ customers
Largest, most experienced security research team
Correlated static and dynamic results with detailed priority guidance
Accurate results, tailored to each application
All results manually reviewed by application security experts
Central testing program management for all applications

Languages Supported

ABAP
PHP
JavaScript/Ajax
Objective C
COBOL
JSP
Java
ColdFusion
Python
ASP.NET
Classic ASP
PL/SQL
C#
VB6
T-SQL
VB.NET
VBScript
XML/HTML

HP Fortify Software Security Center

HP Fortify on Demand is a part of the HP Fortify Software Security
Center suite, a comprehensive solution for automating and
managing an application security program in the enterprise.

HP Fortify Software Security Center proactively eliminates the
immediate risk in legacy applications, as well as the systemic risk in
application development processes.

About HP Enterprise Security

HP is a leading provider of security and compliance solutions for
the modern enterprise that wants to mitigate risk in their hybrid
environment and defend against advanced threats. Based on market
leading products from ArcSight, Fortify, and TippingPoint, the
HP Security Intelligence Platform uniquely delivers the advanced
correlation, application protection, and network defenses to protect
today's hybrid IT infrastructure from sophisticated cyber threats.
Find out more at hpenterprisesecurity.com.

HP Services

Keep your IT organization competitive and ready to evolve as your
business needs change. HP services are designed to lower your IT
costs, increase availability, reduce the complexity of multi-vendor
services, and system implementation.

Run your business smoothly as your IT adapts to changing
business needs. The convenient pre-packaged HP Care Pack Service
options and custom support solutions cover the entire IT solution
lifecycle, to help you design, deploy, integrate, and manage an agile
infrastructure. hp.com/support/services
Your environments will achieve the high levels of availability
that your users demand when you utilize HP Mission Critical and
Proactive Services. hp.com/services/missioncritical
Manage, enhance, reduce costs, and streamline management of
your storage environments with the HP Storage Services Portfolio.
hp.com/services/storage
Transform your data center with HP data center services that help
you design and build an energy-efficient data center that will meet
your needs today and tomorrow. hp.com/services/datacenter
Capitalize on your IT environment capabilities with a partner
who understands server, storage, and network technology in a
multivendor environment. hp.com/services

Get connected
hp.com/go/getconnected
Current HP driver, support, and security alerts
delivered directly to your desktop
Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and
services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial
errors or omissions contained herein.
Java is a registered trademark of Oracle and/or its affiliates.
4AA4-0664ENW, Created May 2012
